CVE-2022-43522: Aruba EdgeConnect Enterprise Orchestrator's web-based management interface contains multiple SQL injection vulnerabilities that authenticated remote attackers can exploit to read, modify, or delete data in the underlying database and potentially take full control of the Orchestrator host. Affected releases include Orchestrator 9.2.1.40179 and earlier across on-premises, SaaS, SP, and Global Tenant variants.

Description Preview

These are multiple SQL injection vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator. An authenticated remote attacker could exploit these flaws to perform unauthorized SQL queries against the underlying database, enabling the theft and modification of sensitive data and potentially leading to complete compromise of the Orchestrator host. The vulnerabilities affect Aruba EdgeConnect Enterprise Orchestrator (on-premises), Orchestrator-as-a-Service, Orchestrator-SP, and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators, across versions 9.2.1.40179 and below, 9.1.4.40436 and below, 9.0.7.40110 and below, 8.10.23.40015 and below, and any older branches not specifically mentioned. The CVSS v3.1 base score is 8.8 (HIGH), with network attack vector, low attack complexity, required low privileges, and no user interaction; impacts to confidentiality, integrity, and availability are all HIGH. Aruba’s advisory emphasizes applying the vendor-provided fix to mitigate the risk.

Overview

Multiple SQL injection vulnerabilities exist in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator. Exploitation requires an authenticated remote attacker and could lead to unauthorized data access, data modification, and potentially full compromise of the Orchestrator host across affected product variants and versions. The vulnerabilities are rated high severity (CVSS v3.1 base score 8.8), have a network attack vector, low complexity, and require minimal privileges with no user interaction, affecting confidentiality, integrity, and availability. Affected releases span several 9.x and older branches for on-premises, SaaS, SP, and Global Tenant Orchestrators.

Remediation

  • Upgrade to the fixed version per Aruba PSA ARUBA-PSA-2022-021. Ensure all affected variants (on-premises Orchestrator, Orchestrator-as-a-Service, Orchestrator-SP, and Global Enterprise Tenant Orchestrators) are updated to non-vulnerable releases.
  • If immediate upgrade is not feasible, implement compensating controls:
    • Restrict access to the web-based management interface to trusted networks (e.g., via VPN, IP allowlists, or strict network segmentation).
    • Enforce strong authentication; enable MFA if available and review account privileges to minimize risk.
    • Disable or tightly control external exposure of the management interface.
    • Deploy a web application firewall or API gateway with SQL injection protections and enable detailed logging and alerting for suspicious query patterns.
    • Validate and sanitize inputs at the application layer and ensure parameterized queries are used where possible; coordinate with the vendor for remediation guidance.
    • Maintain recent backups, perform regular vulnerability scans, and plan for a test/validation cycle in a staging environment before applying patches.
  • After applying the fix or mitigations, re-test to confirm the vulnerabilities are resolved and monitor vendor advisories for any additional guidance or new affected versions.

References

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services: Low
  2. Administrative, Support, Waste Management & Remediation Services: Low
  3. Agriculture, Forestry, Fishing & Hunting: Low
  4. Arts, Entertainment & Recreation: Low
  5. Construction: Low
  6. Educational Services: Low
  7. Finance and Insurance: Low
  8. Health Care & Social Assistance: Low
  9. Information: Low
  10. Management of Companies & Enterprises: Low
  11. Manufacturing: Low
  12. Mining: Low
  13. Other Services (except Public Administration): Low
  14. Professional, Scientific, & Technical Services: Low
  15. Public Administration: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
